by Irene Corpuz
I started working in an organization where conducting ISO Certification is one of the key services delivered. As expected, we should lead by example. Hence, the management decided to implement a full-time Quality Department to oversee the implementation of ISO 9001 to ensure that we put the standards in our hearts, not just on the certificate as framed on the wall. When I left the organization, the principle of standards had been engraved in my system. For me, any ISO standard should be a way of life, a part of a company’s culture. As long as you know the standard and implement it seriously, you need not be certified at all! Compliance is more important than certification.
Being in IT, specifically Information Security, I had looked forward to managing a full ISO 27001 implementation project. Instead, since I work in a government entity, I got involved in the implementation of the Abu Dhabi government's ADSIC Information Security Standards, and most recently NESA's Information Assurance Standard (IAS). Both ADSIC and the IAS are mandated for government entities, whereas ISO 27001 is optional. I still wanted to implement ISO 27001, so I decided to implement it in parallel with the ADSIC Standards in 2013, and now with the NESA IAS. Doing so gives me an opportunity to understand the similarities and differences between the standards and to gain a wider perspective on the implementation strategies of various security standards. All of them cover the information security triad anyway: Confidentiality, Integrity and Availability.
ISO has long published international standards, among them ISO/IEC 27001:2013. ISO 27001 is an excellent baseline standard for any company that wants to protect and secure its information, minimize risk and ensure business continuity by limiting the impact of any security breach. ISO 27001 is still by far the most widely adopted information security management standard globally; it provides the framework for managing security, and, of the two standards discussed here, it is the only one against which a certificate can be issued. Being ISO 27001 certified gives your clients assurance that you implement and comply with a globally recognized standard.
NESA (the National Electronic Security Authority), on the other hand, is a UAE government body established in 2012, the first national authority for cybersecurity in the region, with the objective of combating online threats to military and critical installations. NESA has produced a set of standards and guidance for government entities in the UAE, and compliance with these standards is mandatory. NESA adopted a number of its controls from the already established ISO 27001 and NIST publications. Implementing the IAS therefore kills two birds with one stone.
Under ISO 27001, the organization may call for a certification audit when it is ready and confident that it can demonstrate an effective and efficient implementation of the standard. In practice, an organization should be able to show evidence of at least six months of implementation, with records as evidence of compliance. The organization may be certified with a few minor non-conformities. However, a significant number of minor non-conformities may be treated as equivalent to a major non-conformity and must be addressed before a certificate can be issued.
NESA, by contrast, operates on a tiered approach. It uses four levels of monitoring to manage stakeholder compliance across all aspects of the framework. The level of risk an organization poses to the UAE determines how the regulators and NESA will work with that organization.
NESA identified 24 threats from various industry reports. Of the 188 IAS controls, 39 are P1 (Priority 1) controls, roughly 20% of the total. Applying the Pareto principle, implementing those P1 controls is expected to address about 80% of the possible threats to the organization, which is a big leap towards compliance with the IAS. NESA prescribes no penalties; however, since the standard is based on identified real-world threats, non-compliance, particularly with the P1 controls, leaves the organization exposed to attack.
Management commitment should not be neglected. It is mandatory under both ISO 27001 and NESA. As a consultant in my previous job, I have seen how management backslides after receiving the ISO certificate and re-engages only when a certification surveillance audit comes around. It must be noted, though, that since the IAS is a mandatory requirement at the federal level, it follows that the management of each entity supports its implementation.
For private organizations, ISO 27001 should be seen as one of the tools that responds to rising customer expectations about the security of their information. It must therefore not be treated merely as a matter of regulatory requirement, but as a way of life.
Implementing both ISO 27001 and the NESA Information Assurance Standard is an effective and exciting learning journey for Information Security implementers. There is a sense of fulfillment in that, though it is not required, achieving compliance with the NESA IAS equates to achieving compliance with ISO 27001. However, do not underestimate the effort required. Whoever implements the standard should be focused on it and dedicated to it full time. It is both a great opportunity and a rewarding one.
For the full article and experiences from other experts, please download your copy of the PenTest Magazine https://pentestmag.com/download/pentest-iso-27001/
Disclaimer: The content of this article purely reflects the author’s individual knowledge and opinion of the subject and does not represent in any way the organization with which she works.